• Require businesses and organizations to track data breaches — events in which personal information might be lost or stolen — and report them to consumers and the privacy commissioner if they pose a “real risk of significant harm to an individual,” for example, if they could lead to identity theft. Non-compliance would be punishable by fines of up to $100,000.

• Give new powers to the privacy commissioner to help uphold privacy laws. Specifically, the commissioner will be able to negotiate voluntary but binding compliance agreements with organizations that commit to taking action on privacy violations. The commissioner and private complainants would also be able to ask the Federal Court of Canada to order compliance or award damages to someone harmed by a privacy violation up to a year after an investigation. And the commissioner will have more flexibility to release information about non-compliant organizations if it is in the public interest.

• Require businesses and organizations to “communicate clearly” when obtaining consent to collect and use individuals’ personal information, and to consider whether their target audience, such as children, can understand the consequences of sharing their information.

• Allow for the sharing of personal information without explicit consent to help protect individuals from harm, such as seniors suspected of being financially abused, or to detect and prevent fraud.

• Make it easier for businesses to collect, use and share information to manage employees, conduct due diligence when buying another company, or process insurance claims.

Charmaine Borg, digital issues critic for the NDP [Canada’s New Democratic Party], said, “Overall, these are good first steps.” Borg, MP for the Quebec riding [electoral district] of Terrebonne-Blainville, added, “We have been pushing for these measures and I’m happy to see them introduced.” However, she said she would have liked to see the legislation go a bit further.

In particular, she said, she was disappointed that consumers and the privacy commissioner only need to be notified of a data breach “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” Borg called that “a little bit of a high threshold.”

She also doesn’t like the fact that organizations have to evaluate the risk for themselves. While most large companies have a privacy officer, the evaluation “might be a little hard for mom-and-pop shops who are affected, but who might not have the privacy expertise to make that assessment themselves.”

She had previously proposed in a private member’s bill that data breaches be reported to the privacy commissioner if they posed a potential risk, and that the commissioner’s office would use its expertise to determine if consumers should be notified.

Borg thought the proposals regarding privacy agreements and new enforcement powers for the privacy commissioner were also good steps forward, although she would have liked them to have been “a little stronger.”

The office of the privacy commissioner of Canada has long advocated for updates to Canada’s privacy laws, including some of those in the new bill.

Interim Privacy Commissioner Chantal Bernier said that, at first glance, the bill contains “some very positive developments,” especially with regard to mandatory data breach notification, new penalties, and “provisions that will make it easier for my office to ensure that companies carry through on commitments they have made during investigations.”
